Question
This is an elementary question however one I cannot seem to resolve by perusing the Oracle documentation. I've created an Ubuntu-based compute node, and it's attached to a subnet. In that subnet I've created a stateful rule with source 0.0.0.0/0, IP protocol: TCP, Source Port Range: All, Destination Port Range: 80.
There is no firewall configured on the server.
Despite this configuration I can't access the compute node's public IP. Any ideas?
Answer 1:
When deploying compute instances at Oracle Cloud Infrastructure you need to take into account a few things:
- Create Internet Gateway (IGW).
- Define routes to point to IGW.
- Allow port 80 in the Security List associated with the IGW. By default you only have access to SSH and ICMP 3,4 type.
- Allow connectivity on Compute's instance firewall (which is enabled by default).
In your example, if you are using an OEL shape:
$ sudo firewall-cmd --zone=public --permanent --add-port=80/tcp
$ sudo firewall-cmd --reload
Answer 2:
I figured it out. The connectivity issue was due to Oracle's default use of iptables on all Oracle-provided images. Literally the very first thing I did when spinning up this instance was check ufw, presuming there were a few firewall restrictions in place. The ufw status was inactive, so I concluded the firewall was locally wide open. Because to my understanding both ufw and iptables look at the netfilter kernel firewall, and because ufw is the de facto (standard?) firewall solution on Ubuntu, I've no idea why they concluded it made sense to use iptables in this fashion. Maybe just to standardize across all images?
I learned about the rules by running:
$ sudo iptables -L
Then I saved the rules to a file so I could add the relevant ones back later:
$ sudo iptables-save > ~/iptables-rules
Then I ran these rules to effectively disable iptables by allowing all traffic through:
$ iptables -P INPUT ACCEPT
$ iptables -P OUTPUT ACCEPT
$ iptables -P FORWARD ACCEPT
$ iptables -F
Anyway, hope this helps somebody else out because documentation on the matter is non-existent.
Answer 3:
If your local VM does not accept connections on port 80 because of iptables rules, use the rule posted by vinodh:
iptables -I INPUT 5 -i ens3 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
that helped me out!
Answer 4:
I guess if you add the rule below to your iptables it should work; otherwise you will be disturbing other rules related to block volume attachment that come pre-configured on those images.
iptables -I INPUT 5 -i ens3 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
Answer 5:
Prerequisites
- VM instance should have been created and running
- Access to Public and Private keys used during the creation of VM instance
Log into the VM using SSH and run the following command:
$ sudo iptables --list --line-numbers
It will show the details of Chain INPUT (policy ACCEPT). From the list, delete the REJECT all rule in iptables:
$ sudo iptables -D INPUT <Reject Line number>
e.g.
$ sudo iptables -D INPUT 6
Check that the REJECT rule is deleted:
$ sudo iptables --list --line-numbers
Access the Default Security List and edit the Ingress Rules to allow internet traffic on the port.
Edit the Ingress Rule: add CIDR 0.0.0.0/0, TCP, Destination 9999 (N): Networking > Virtual Cloud Networks > Virtual Cloud Network Details > Security Lists > Security List Details
Access your application via web browser:
Type http://<public IP address of the VM>:port
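Answers 2 through 5 all touch the same point: Oracle-provided images end the INPUT chain with a REJECT rule, so a new ACCEPT rule must be inserted above it, and flushing the whole chain (answer 2) or deleting the REJECT rule (answer 5) opens far more than port 80. The script below is an added example, not code from the question or any answer: it locates the REJECT rule in `iptables -L INPUT --line-numbers` output and inserts a single port rule in front of it, only if the rule is not already present. The sample listing, the rule numbers in it, and the `ens3` default interface are constructed assumptions; check your own listing and `ip link` before running `open_tcp_port`.

```shell
#!/bin/sh
# Added example (not from the original question or any answer): open one TCP
# port on an OCI image whose INPUT chain ends in a REJECT rule, without
# flushing the chain or deleting the REJECT rule.

# Constructed sample of `sudo iptables -L INPUT --line-numbers` output. The rule
# numbers are an assumption modelled on the answers above; real images differ.
SAMPLE_INPUT_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
2    ACCEPT     icmp --  anywhere             anywhere
3    ACCEPT     all  --  anywhere             anywhere
4    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
5    REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited'

# Print the line number of the first REJECT rule in the listing read on stdin.
# Prints nothing when the chain has no REJECT rule. Always exits 0.
reject_line_number() {
    awk '$1 ~ /^[0-9]+$/ && $2 == "REJECT" { print $1; exit }'
}

# Decide where a new ACCEPT rule must go: in place of the REJECT rule's number
# (so it lands just above REJECT and the REJECT rule keeps covering everything
# else), or "append" when the chain has no REJECT rule.
insert_position() {
    pos=$(reject_line_number)
    if [ -n "$pos" ]; then
        echo "$pos"
    else
        echo append
    fi
}

# Open one TCP port on one interface. Idempotent: `iptables -C` returns 0 when
# an identical rule already exists. Needs root and a real iptables; the
# self-check at the bottom does not call it.
open_tcp_port() {
    port=$1
    iface=${2:-ens3}   # interface name from the answers above (assumption)
    rule="-i $iface -p tcp --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT"
    if iptables -C INPUT $rule 2>/dev/null; then
        echo "rule for tcp/$port on $iface already present"
        return 0
    fi
    pos=$(iptables -L INPUT --line-numbers -n | insert_position)
    if [ "$pos" = append ]; then
        iptables -A INPUT $rule
    else
        iptables -I INPUT "$pos" $rule
    fi
    echo "inserted ACCEPT for tcp/$port at INPUT position $pos; run iptables-save to persist"
}

# Self-check on the constructed sample: the REJECT rule is at line 5, so the
# new rule goes in at position 5 and REJECT moves down to 6.
printf '%s\n' "$SAMPLE_INPUT_LISTING" | insert_position
```

Run it as `sudo sh open_port.sh` after replacing the final self-check line with `open_tcp_port 80`; the `-C` probe makes re-running it safe, and nothing above the REJECT rule (the RELATED,ESTABLISHED, ICMP, loopback and SSH rules, plus any block-volume rules answer 4 warns about) is touched. The rule is not persistent across reboots; save it the same way the image's other rules are saved, for example with `iptables-save` as answer 2 does.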
Answer 6:
Credited to https://medium.com/@fathi.ria/oracle-database-cloud-open-ports-on-oci-1af24f4eb9f2
Compute Instance (such as Ubuntu) -> Virtual Cloud Network -> Security List -> Ingress Rules -> Please add a rule to allow access to port 80 from anywhere
Answer 7:
If you have not created Internet Gateway yet, that might be the reason. In order to connect the VCN with the public internet you need to have an Internet Gateway and a route table to direct the traffic through the gateway.
Source: https://stackoverflow.com/questions/54794217/opening-port-80-on-oracle-cloud-infrastructure-compute-node